In the first ten pages of “Anéantir”, the latest novel by Michel Houellebecq, the famed French novelist, he writes about two hackers commenting on their remote attacks against a French nuclear plant:
“for forty-eight hours they had control of the system and could have triggered an emergency shutdown protocol for the reactor, thus depriving several French departments of electricity. On the other hand, they would not have been able to trigger a major nuclear incident: to penetrate the heart of the reactor, a 4,096-bit encryption key was missing, which they had not yet been able to crack.”
Reading this made me cringe because, first, I always look to Houellebecq for dramatic realism, and this passage lacks it, and second, it sent me back to my work and hit too close to home. You know how it feels when we security professionals read about cybersecurity in fiction? I still shudder remembering the extreme inaccuracies about encryption in Dan Brown’s “Digital Fortress”. Fortunately, nuclear reactors are not protected from remote attacks by encryption keys! Some readers may think “4,096 bits! That’s so secure,” but in reality it is not: a key is always stored somewhere, an attacker who steals or extorts it never needs to crack it, and more bits will not necessarily keep your communications secret or your systems safe. So, let’s zoom in on how modern nuclear plants are actually protected while still realizing the efficiencies of digitization.
Critical infrastructure is best protected from remote attacks by physically restricting traffic, not by software or encryption. Against an external attack, most nuclear standards recommend or require intrinsically unidirectional communications: data flows out of the protected network over a physical one-way link, and nothing, not even a protocol acknowledgement, can flow back in. This delivers the efficiency of digitization, the sharing of real-time data outside the operational network, without the risk of remote attacks. The IAEA (International Atomic Energy Agency), for example, requires this from safety-critical into less-critical networks. Similarly, the US NRC permits only “deterministic” unidirectional communications between safety-critical and any less-critical functions. A hacker, no matter how sophisticated, cannot use that connection to remotely penetrate a plant protected by unidirectional technologies such as Waterfall’s Unidirectional Gateways.
For nuclear generators, standards such as NRC Regulatory Guide 5.71, NEI 08-09, CSA N290.7-14 and IAEA 17-T all require or strongly recommend hardware-enforced, deterministic unidirectional gateway communications. More generally, Waterfall’s gateways simplify compliance with a wide variety of standards and best practices.
In contrast, firewalls are both bidirectional and software based. Bidirectional communications are by definition not unidirectional, and software-based protection is by definition not deterministic: a rule set can be misconfigured, and the software itself can have a flaw that an attacker reaches from the network. The same is true of encryption and authentication. Someone can guess a password, extort the key from its holder, or find a flaw in the encryption software itself. That happens routinely. Even inside the plant, where firewalls and other software protections are deployed against insider attacks, physical safeguards that no software can reach are implemented to limit the consequences of an automated cyberattack.
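The one-way link described above forces a protocol design unlike anything that runs through a firewall: the receiving side can never ask for a retransmission or complete a handshake, so integrity and loss detection have to ride forward with the data. The following Python sketch is added here as an illustration of that constraint; it is not Waterfall’s product code and not a description of how any particular gateway is built. The frame tag, the four telemetry readings and the fault pattern on the link are constructed assumptions for the demo.

```python
"""
Illustrative one-way telemetry replication (added example, not vendor code).

The sender never hears from the receiver, so there are no ACKs, no retransmit
requests and no session setup. Everything the receiver needs to validate data
and notice loss travels forward: a sequence number, a CRC, and a redundant copy
of every frame.
"""
import json
import struct
import zlib

MAGIC = b"UDG1"                   # hypothetical frame tag for this demo
HEADER = struct.Struct("!4sIH")   # magic, sequence number, payload length
REDUNDANCY = 2                    # copies emitted per frame (no retransmit path exists)


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame = header + payload + CRC32 over header and payload."""
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(raw: bytes):
    """Return (seq, payload), or None if the frame is truncated, corrupt or foreign."""
    if len(raw) < HEADER.size + 4:
        return None
    body, crc = raw[:-4], struct.unpack("!I", raw[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    magic, seq, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC or len(body) != HEADER.size + length:
        return None
    return seq, body[HEADER.size:]


class Sender:
    """Lives on the protected (plant) side; only ever emits."""

    def __init__(self):
        self.seq = 0

    def emit(self, record: dict) -> list:
        frame = encode_frame(self.seq, json.dumps(record, sort_keys=True).encode())
        self.seq += 1
        return [frame] * REDUNDANCY


class Receiver:
    """Lives on the business side; can only validate what arrives and report gaps."""

    def __init__(self):
        self.records = {}   # seq -> decoded record (duplicates collapse here)
        self.dropped = 0    # frames rejected by the CRC/format checks

    def ingest(self, raw: bytes) -> None:
        decoded = decode_frame(raw)
        if decoded is None:
            self.dropped += 1
            return
        seq, payload = decoded
        self.records.setdefault(seq, json.loads(payload))

    def missing(self) -> list:
        """Sequence numbers never seen; the receiver can report them but never request them."""
        if not self.records:
            return []
        return [s for s in range(max(self.records) + 1) if s not in self.records]


def run_demo() -> Receiver:
    """Push constructed readings across a simulated faulty one-way link."""
    readings = [  # constructed sample telemetry, not real plant data
        {"tag": "RCS_T_hot", "value": 318.4},
        {"tag": "RCS_P", "value": 155.1},
        {"tag": "SG1_level", "value": 61.2},
        {"tag": "GEN_MW", "value": 982.0},
    ]
    sender, receiver = Sender(), Receiver()
    wire = [frame for r in readings for frame in sender.emit(r)]
    lost = {4, 5}  # simulated fault: both copies of frame 2 never arrive
    for i, frame in enumerate(wire):
        if i in lost:
            continue
        if i == 1:  # simulated fault: second copy of frame 0 is bit-flipped in transit
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
        receiver.ingest(frame)
    return receiver


if __name__ == "__main__":
    rx = run_demo()
    print("received:", sorted(rx.records), "missing:", rx.missing(), "dropped:", rx.dropped)
```

Frame 0 survives because its first copy was clean, the corrupted copy is rejected by the CRC, and frame 2 is simply gone: the receiver can log the gap, but with no return path it cannot ask for it again, which is exactly why an attacker on the business side has nothing to send into the plant either.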
In defense of Michel Houellebecq, his book is set in the near future. Perhaps in that near future, the cybersecurity mentality focused only on information won, and a fully interconnected world protected only by encryption and authentication was built. Perhaps then, this will be, as the very talented Nicole Perlroth puts it in her much more accurate account of cyberattacks, “This Is How They Tell Me the World Ends”.
To learn more about protecting nuclear generators, download the ebook.